Roaming phones have pinged SS7 since before the first Star Wars film hit theaters — and nobody meaningfully fixed it. SS7, or Signaling System 7, is the 1970s Phone Protocol routing calls, texts, and roaming connections across international carriers worldwide. It transmits data in plaintext. It lacks real authentication. According to a March 2026 investigation by National Security News, Iran’s Revolutionary Guard Corps allegedly turned that neglected infrastructure into a missile guidance tool, exploiting interconnections between Iranian and Gulf telecom networks to track U.S. military personnel across the region.
The result was not theoretical. Satellite imagery assessments by the New York Times and Washington Post document Iranian strikes on at least seven U.S. military installations, deliberately targeting communication terminals, radar systems, and hypersonic missiles and air-defense infrastructure at Al Udeid Air Base, Camp Arifjan, and the Fifth Fleet headquarters in Bahrain.
How a Phone Query Becomes a Target Package
A 40-year-old signaling command — no malware required — can reveal which cell tower a phone is using, and that turns out to be enough.
Through MTN Irancell‘s legitimate interconnect agreements with Gulf telecom carriers, IRGC signals intelligence units reportedly tapped SS7 signals reaching U.S. bases in Qatar, Bahrain, and Kuwait. The mechanics are disturbingly mundane:
- Standard SS7 commands — Send Routing Information and Provide Subscriber Information — reveal which cell tower a phone is currently using.
- Bulk queries on numbers clustered near military installations built digital movement signatures: shift patterns, operational tempo, off-base housing locations.
- Cell-level accuracy narrows location to hundreds of meters in dense urban areas like Manama and Doha — enough to confirm whether a surge of U.S.-linked phones moved into a specific base.
- Ad-tech location data from real-time bidding platforms reportedly served as a parallel tracking vector, though public documentation remains thinner than the SS7 evidence.
- Layered with commercial satellite imagery, these feeds created a targeting picture no single source could provide alone.
“We definitely observe geopolitical adversaries abusing SS7 weaknesses with impunity,” SS7 researcher Karsten Nohl stated, as reported by Techdirt.
The Surveillance Stack Behind the Strikes
Iran did not improvise this capability — it built the whole infrastructure at home first, then turned it outward.
Most states dabble in telecom exploitation. Iran built the entire capability in-house. Leaked manuals analyzed by The Intercept revealed SIAM, a domestic system granting Iranian authorities secretly tracking users via turnkey access to location histories, call metadata, IP addresses, and Wi-Fi connection records. Filter Watch documented IMSI-catchers deployed against protesters in Isfahan as recently as 2025 — a tactic also seen in the broader use of a surveillance app developed to target specific populations. This is a regime that spent years tracking its own citizens before directing those same capabilities against foreign military targets.
CISA guidance recommends encrypted messaging apps over SMS, FIDO-based authentication, and carrier account PINs. None of those stop SS7 location tracking, which operates at the network level — well beneath anything visible on your screen. Expect stricter personal device controls at forward bases and accelerated pressure to retire aging 2G and 3G infrastructure.
The protocol quietly confirming your WhatsApp delivery receipt reportedly helped locate troops across the Gulf.




























